What’s Behind the Push for Cybersecurity Legislation?

President Obama is adamantly pushing to standardize how data breaches are reported to consumers and stakeholders at the federal level, potentially ending decades of state-specific policy that varies wildly from state to state. Tuesday night’s State of the Union address solidified cybersecurity’s place in the list of current national priorities, but there was an astonishing lack of attention paid to the issue leading up to this legislative push. What recent events have moved it up on the list?

November 2014: The Sony hack
The Sony Pictures Entertainment cyberhack came to national attention on November 24th, 2014, when hackers calling themselves the “Guardians of Peace” released personal information about Sony employees, their salaries, emails, copies of unreleased films, and more. U.S. intelligence has pointed to North Korea as sponsors of the hack, but North Korea continues to deny all responsibility. It’s unknown how long the hackers had access to Sony’s infrastructure, but it could have been longer than a year, with the hackers claiming to have stolen over 100 terabytes of data.

While it’s too early to know how much the cyberattack will cost Sony – in lawsuits from employees over lost personal data, leaked films, hardware and software repair/replacement, brand damage, stars demanding higher compensation based on peers’ salaries, etc. – it’s been estimated that this will be the most expensive data breach of all time, potentially coming in at as much as $300 million. And the costs are coming not just from a corporation’s endless pockets; the costs will undoubtedly trickle down to affect the income of American families employed by Sony and its affiliates.

December 2014: Obama signs five cybersecurity bills
On December 18th, Obama signed five cybersecurity bills into law ending months of legislative back-and-forth with a definitive statement that this cannot wait. The bills were intended to get the ball rolling after years of outdated, patchwork security policies, and include the following legislation:

Identifying key cybersecurity positions at the Department of Homeland Security
Requiring the Department of Homeland Security to assess the cybersecurity workforce and put a plan for improvement into place

Creating a National Cybersecurity and Communications Integration Center, a 24-7 incident response and information hub for the federal government, intelligence, and law enforcement

Involving the Department of Commerce and Office of Science and Technology to develop risk-reduction and cybersecurity research plans, respectively

January 2015: Cybersecurity for the new yearOn January 12th, Obama announced his proposal of cybersecurity measures aimed at creating a “single, strong national standard” for cybersecurity, particularly in the wake of the Sony hack. The Act has two initiatives getting the most press:

The Personal Data Notification and Protection Act, which sets a 30-day requirement for companies to notify consumers if their information has been exposed

The Student Digital Privacy Act, which seeks to protect data collected in educational contexts so that it is not sold to third parties or used in targeted advertising

“This is a direct threat to the economic security of American families,” President Obama said in his speech at the Federal Trade Commission. “If we’re going to be connected, then we need to be protected.”

Ironically, while Obama was speaking, hackers breached the Twitter and YouTube accounts of the U.S. military’s Central Command, specifically threatening American soldiers. Obama addressed this the next day and reiterated that this is a bipartisan issue requiring immediate action: “With the Sony attack that took place, with the Twitter account that was hacked by Islamist jihadist sympathizers yesterday, it just goes to show how much more work we need to do.”

Tune in to the Arc blog next week for a recap of what Tuesday night’s State of the Union address means for cybersecurity legislation this year.

[Your user agent does not support frames or is currently configured not to display frames. However, you may visit the related document.]